Multiple Vulnerabilities Patched in WordPress Download Manager
On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations.
The plugin’s developer responded to our initial contact in less than an hour, and we provided a confidential full disclosure the same day, on May 4, 2021. A patched version of the WP Download Manager plugin was released the next day, on May 5, 2021.
The Wordfence Firewall provides built-in protection against these vulnerabilities to all Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence.
Affected Plugin: WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34638
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25
The WordPress Download Manager plugin allows the use of templates to change how download pages are displayed. Although there were some protections in place to protect against directory traversal, these were woefully insufficient. As such, it was possible for a user with lower permissions, such as a contributor, to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter.
Upon previewing the download, the contents of the wp-config.php file would be visible in the page source.
Since the contents of the file provided in the file[page_template] parameter were echoed out onto the page source, a user with author-level permissions could also upload a file with an image extension containing malicious JavaScript and set the contents of file[page_template] to the path of the uploaded file. This would lead to the JavaScript in the file being executed whenever the page was viewed or previewed, resulting in Stored Cross-Site Scripting. As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session.
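The root cause above is a template name taken from a request parameter and used to read a file without an adequate traversal check. The following is an added example, not code from WordPress Download Manager or from W3 Eden, of the kind of validation that closes this class of bug: the name is first matched against a strict allowlist pattern and then canonicalised with realpath() and confirmed to sit inside a single templates directory. The function name, the templates directory layout and the accepted name pattern are assumptions made for this example; the sample files it creates are constructed for the demonstration.

```php
<?php
// Added example (not WordPress Download Manager's code): resolve a
// user-supplied page template name against one fixed templates directory
// and refuse anything that would read a file outside it, such as wp-config.php.
// The function name, the templates directory and the allowed name pattern
// are assumptions made for this example.

function resolve_template_path(string $requested, string $templates_dir): ?string
{
    // 1. Allowlist the shape of the name before touching the filesystem:
    //    a bare file name, one .php suffix, no slashes, no other dots.
    //    This rejects ../, encoded traversal and absolute paths outright.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $requested)) {
        return null;
    }

    $base = realpath($templates_dir);
    if ($base === false) {
        return null;
    }

    // 2. Canonicalise the candidate (resolves symlinks and any remaining "..").
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // template does not exist
    }

    // 3. Defence in depth: the canonical path must still sit inside the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration environment: a throwaway templates directory
// holding one legitimate template, plus a "secret" file one level above it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpdm-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.php', "<?php // template stub\n");
file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'demo');\n");

$cases = [
    'default.php',              // legitimate template: accepted
    '../wp-config.php',         // plain traversal: rejected by the pattern
    '..%2F..%2Fwp-config.php',  // encoded traversal: rejected by the pattern
    '/etc/passwd',              // absolute path: rejected by the pattern
    'image.png',                // wrong suffix: rejected (not a template)
    'missing.php',              // well-formed but absent: rejected by realpath
];
foreach ($cases as $name) {
    $resolved = resolve_template_path($name, $root . '/templates');
    printf("%-28s => %s\n", $name, $resolved === null ? 'REJECTED' : 'ok: ' . basename($resolved));
}
```

The pattern check alone would stop every traversal case shown, but the realpath() prefix comparison is kept as a second layer so that a later relaxation of the pattern (or a symlink inside the templates directory) cannot silently reopen the hole. Restricting template names to a .php suffix also removes the Stored XSS path described above, since an uploaded image can no longer be selected as a template and echoed into the page.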
Affected Plugin: WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34639
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25
Prior to our findings, the WordPress Download Manager plugin patched a vulnerability allowing authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files. While the patch in question was sufficient to protect many configurations, it only checked the very last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions. For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.
Although the CVSS score of this vulnerability is significantly higher than that of the previous vulnerability, it is much less likely to be exploited in the real world, because the .htaccess file present in the downloads directory makes it difficult to execute any uploaded files.
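Because an AddHandler or AddType directive can act on any extension in the name rather than only the last one, a check that inspects just the final extension is the wrong shape. The following is an added example, not code from the plugin or its developer, of a file-name check that examines every dotted segment and additionally requires the final extension to be on an allowlist. The function name and both extension lists are assumptions chosen for this example, and the sample names are constructed.

```php
<?php
// Added example (not the plugin's code): an upload file-name check that
// inspects every dotted segment, not only the last extension, so a
// double-extension name such as info.php.png is refused even though its
// final extension (png) is harmless. Function names and the extension
// lists are assumptions chosen for this example.

function upload_name_is_allowed(string $filename, array $allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'zip']): bool
{
    // Extensions that Apache's AddHandler/AddType may map to a script engine.
    // None of these may appear anywhere in the name, not just at the end.
    static $blocked = [
        'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht',
        'cgi', 'pl', 'py', 'sh', 'htaccess',
    ];

    $name  = strtolower(basename($filename));   // drop any directory component
    $parts = explode('.', $name);

    // Require "base.ext" at minimum; reject dot-files such as .htaccess.
    if (count($parts) < 2 || $parts[0] === '') {
        return false;
    }

    // Every segment after the base name is an extension Apache might act on.
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if ($ext === '' || in_array($ext, $blocked, true)) {
            return false;                        // e.g. "info.php.png", "a..png"
        }
    }

    // The final extension decides the MIME handling, so it must be allowlisted.
    return in_array(end($exts), $allowed, true);
}

// Constructed sample names, with the verdict this check should give.
$samples = [
    'info.png'        => true,   // single allowlisted extension
    'info.php.png'    => false,  // double extension: "php" segment is blocked
    'shell.php'       => false,  // plain executable
    'report.pdf.php4' => false,  // blocked extension at the end
    'UPLOAD.JPEG'     => true,   // case is normalised before checking
    '../x/photo.gif'  => true,   // directory part is ignored; name itself is fine
    '.htaccess'       => false,  // dot-file: could override server config
];
foreach ($samples as $name => $expected) {
    $got = upload_name_is_allowed($name);
    printf("%-18s allowed=%-5s %s\n", $name, var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

The blocklist is deliberately only a backstop; the decision is made by the allowlist on the final extension, so an extension nobody thought to block is still refused. This name check complements rather than replaces the .htaccess protection in the downloads directory mentioned above: the two layers fail independently, which is what makes the upload path hard to exploit in practice.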
Disclosure Timeline
May 4, 2021 – We finish researching vulnerabilities in WordPress Download Manager and initiate contact with the plugin’s developer. We receive a response in less than an hour and send over full disclosure.
May 5, 2021 – A patch is released.
Conclusion
In today’s article, we covered two vulnerabilities in WordPress Download Manager, including a medium-severity vulnerability that could be used to take over a site in multiple ways, as well as a high-severity vulnerability that would be much more difficult to exploit. These vulnerabilities are an excellent example of why analysts look at the mechanism of each vulnerability in order to judge potential impact, as the CVSS score rarely tells the whole story.
All Wordfence sites, including Wordfence Premium customers and those still running the free version of Wordfence, are fully protected by the Wordfence Firewall’s built-in mitigations. Nonetheless, if you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to ensure their site has been updated.
Special thanks to the developer of the WordPress Download Manager plugin, W3 Eden, for their excellent and timely response.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments
2:20 pm
New vuln just dropped.
3:26 pm
Indeed it did, Sir. Indeed it did.
12:38 pm
Does this vulnerability also apply to Download Manager Pro?
12:46 pm
Hi Jeff,
While we didn't specifically test on Download Manager Pro, it should have all the capabilities of the free version and hence all of the same vulnerabilities, so if you're using an older version of Download Manager Pro I do recommend updating.